Cheap WiFi Devices are Hardware Hacker Gold

Cheap consumer WiFi devices are great for at least three reasons. First, they almost all run an embedded Linux distribution. Second, they’re cheap. If you’re going to break a couple of devices in the process of breaking into them, it’s nice to be able to do so without financial fears. And third, they’re often produced on such low margins that security is an expense that the manufacturers just can’t stomach — meaning they’re often trivially easy to get into.

The hack begins with [Benjamin] finding a telnet prompt on port 11880 and simply logging in as root, with the same password that’s used across all Zsun devices: zsun1188. It’s like they want you to get in. (If you speak Chinese, you’ll recognize the numbers as being a sound-alike for “want to get rich”. So we’ve got the company name and a cliché pun. This is basically the Chinese equivalent of “password1234”.) Along the way, [Benjamin] also notes that the device executes arbitrary code typed into its web interface. Configure it to use the ESSID “reboot”, for instance, and the device reboots. Oh my!
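As an added illustration (not code from the article and not the Zsun firmware, which the post does not show), here is the difference between splicing a web-form field into a shell command and passing it as a fixed argument vector after validation. The command name, interface name and handler shape are hypothetical; the 32-octet limit is the IEEE 802.11 SSID maximum.

```python
import subprocess

SSID_MAX_OCTETS = 32  # IEEE 802.11 SSID element length limit


def unsafe_command(ssid: str) -> str:
    """Vulnerable pattern (hypothetical): splice the web form value into a
    command string destined for `sh -c`.  Whatever the shell finds in `ssid`
    is parsed as shell syntax, so the SSID field doubles as a command line.
    Returned here for inspection, never executed."""
    return "iwconfig wlan0 essid " + ssid


def validate_ssid(ssid: str) -> str:
    """Accept only a legal, printable SSID: 1..32 UTF-8 octets and no control
    characters.  Anything else is rejected before it reaches a process."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= SSID_MAX_OCTETS:
        raise ValueError("SSID must be 1..32 octets")
    if not ssid.isprintable():
        raise ValueError("SSID contains control characters")
    return ssid


def safe_argv(ssid: str) -> list:
    """Hardened pattern: fixed program and options, the SSID as exactly one
    argv element.  With no shell in the path, 'reboot' is just a network name."""
    return ["iwconfig", "wlan0", "essid", validate_ssid(ssid)]


def apply_ssid(ssid: str, run=subprocess.run):
    """Apply the SSID without a shell (shell=False).  `run` is injectable so
    the function can be exercised on a machine with no wireless interface."""
    return run(safe_argv(ssid), shell=False, check=True)
```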

From here [q3k] and co. took over and ported OpenWRT to the device and documented where its serial port and GPIOs are broken out on the physical board. But that’s not all. They’ve also documented how and where to attach a wired Ethernet adapter, should you want to put this thing on a non-wireless network, or use it as a bridge, or whatever. In short, it’s a tiny WiFi router and Linux box in a package that’s about the size of a (Euro coin | US quarter) and costs less than a good dinner out. Just add USB power and you’re good to go.


50 thoughts on “Cheap WiFi Devices are Hardware Hacker Gold”

Cute little bugger. But where are they available here in the US? I grok that the company goofed big enough to fly a starship sideways through a mountain pass, but that’s good enough only if it can be repeated.

What I wonder is if there is support for developing scripts and enough free GPIO pins.
If I could set up a minimal web server to read an I2C ADC chip through HTTP, then drive other GPIO lines accordingly, that would make it truly interesting.

Note: no HTTPS, but that probably doesn’t matter since both the US and Chinese governments can mount a man-in-the-middle attack anyway. Just be careful about using anything other than a US credit card, preferably one with a low balance.

It’s inexpensive and amusing hacker-y but not very practical to use it as “the brains of your IoT project”. May as well just throw $10-$19 at Photon and support nice folks at Particle with all their developer support resources.

Sorry, didn’t mean to report the comment, meant to click reply.
Photon might be nice but wouldn’t quote for shipping without me entering details, which I don’t want to do as I bet it’s not free shipping to the UK, so I don’t really want one. China wins with its free shipping, sorry Photon.

Stuff like this or those ~7 USD 4G mini routers https://wiki.openwrt.org/toh/unbranded/a5-v11 are great cheap stuff, but with the Raspberry Pi Zero for $5 these are becoming less interesting now. Why limit yourself to 32/64MB RAM and 4/8/16MB flash when you can get a 1GHz CPU with 512MB RAM for the same or lower total price including a Wi-Fi dongle? The power draw is similar – the Pi Zero draws ~60mA just like these routers with Wi-Fi turned off, and with Wi-Fi on it is ~200-300mA in all cases (including the ESP8266).

And btw for mobile use there is also this 5-in-1 Mini Portable Router (like e.g. http://www.ebay.com/itm/301701710189 ) which is exactly the same as the A5-V11 but with a built-in battery for $3 more. At least I flashed it with exactly the same OpenWrt image and everything works.

What I am missing for all these is a cheap power source which can be simultaneously charged and still power the device. Those cheap 18650 power banks cannot do both at the same time. eBay is full of cheap Li-Po charger boards, 5V step-up boards and power banks combining both, but so far I did not find a cheap board that can both charge the battery and power the board when USB power is attached.

I’ve done the ‘simultaneous charge&sourcing power’ thing with a couple of components in my “Project Alice” portable router I’m working on right now. It works great – no reboots, no power surges, it’s working exactly as you describe, though it’s anything but something pre-made. Here’s the reference circuit I used for the switching part: http://blog.zakkemble.co.uk/a-lithium-battery-charger-with-load-sharing/ . Granted, it’s not the same as re-using a portable battery pack – but it provides the information to either hack one already available or build one yourself, since it doesn’t seem so hard. Simplest idea – you don’t modify the powerbank, but add a 5V relay outside that switches the sources (and a really big capacitor, I gotta remind). Or experiment with FETs and make a simple switching circuit that does exactly what you need. If you cannot do either, there are diodes.

It’s not really cheap but I am using an Adafruit PowerBoost 1000C in my Raspberry Pi project and it does simultaneous charge and power for the device. Like I said, it’s not cheap though. I paid about $20 for mine.

Sure it can, but there is an SPDT switch on USB that connects the SD reader USB device to the PC when it is plugged in, and to the AR9331 when unplugged, but you cannot get the AR9331 USB to the connector (and anyway it is USB-A) without soldering.

There are lots of such devices: VoCore, Olinuxino, HLK-RM04, … and many other boards on the RT5350F, or routers like the HAME A15 and clones ($7 on AliExpress, with a female USB connector), or Carambola and Black Swift boards with the AR9331.
But a 400MHz MIPS without hardware acceleration is not the best choice for video compression, unless the USB camera provides compressed video (http://vonger.cn).
There are also Hi3518 boards starting from $12 with an image sensor, ARM9 + hardware video compression and Ethernet. This processor also has USB host, so adding a $2 USB WiFi dongle should not be a big problem.

I bought 2 (£5/piece) as soon as I heard about them 3 days ago. They arrived last night.

I bricked one, and accidentally turned off WiFi on the other in OpenWRT.

I decided to wipe the bricked one for re-flash in U-Boot… but in my inexperience I wiped the bootloader (hint: `erase all` is not idiot-proof). Now it really is toast. The pitch of the pins on the flash chip is microscopic, so not much hope of SPI reprogramming the flash chip either.

You can do a factory reset (which will enable WiFi again) of the OpenWrt one by inserting and removing the SD card while it boots (when the LED is blinking slowly).
Based on my experience, I knew such a function would come in handy. ;)

I too bricked my device by not paying attention when configuring the interfaces.
But the SD card reset does not work for me. Unit powered from a wall wart, when the LED starts to blink slowly I insert the card, wait for a sec, and then remove the card, but no luck. :(

For reprogramming there is this SOIC8 test clip that can possibly be used, see e.g. http://www.ebay.com/itm/252201433295 (I haven’t seen the board so I am not sure it fits). I used it successfully to reprogram a standalone W25Q64 chip http://www.ebay.com/itm/181700556507 from a Raspberry Pi via flashrom https://flashrom.org/RaspberryPi . Then I tried to reflash the memory in the A5-V11 router in place but I failed. When applying voltage the whole device powers on and boots, which messes up the communication (I guess it switches the SPI chip to dual or quad mode), so I probably need to cut the power pin from the board. I wanted to upgrade the 4MB flash in that router to 8MB just to see if I could.

But maybe since yours is not booting at all it will not mess up the communication and could be reflashed in place?

I was attempting to upgrade with the built-in firmware update method but I am confused about .update on the SMB share.
I was able to mount the drive via SMB (access via \\wulian) under Windows but it would not let me create the .update folder. It complained that it needed a filename, as it seems to think I was trying to create one with only an extension. I tried with the SD card formatted FAT32 and ext4. Any help appreciated.

I tried updating using the built-in upgrade method and the SD100-openwrt.tar.gz package. Well, something went wrong and it bricked the device. No big deal as I plan on soldering an Ethernet port and serial connection to the board so I can recover the device. I do have one question concerning that procedure. The instructions state “Where openwrt.bin is your rootfs+kernel image (in that order!)”. I assume this means combine the files first. What is the best/proper way to do that? Even better, does that image exist somewhere?

The combined image is the one ending with -sysupgrade.bin.
It is generated by buildroot; it is not a simple cat of rootfs and kernel, you need to add space between them so that the kernel address is correct.
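To make the point about padding concrete, here is an added example (not OpenWrt buildroot code and not the SD100 image itself) that lays out a kernel and a rootfs so the rootfs begins on a flash erase-block boundary rather than directly after the kernel. The 64 KiB erase-block size, the 0xFF fill byte and the 4 MiB flash size are assumptions standing in for the real device layout.

```python
ERASE_BLOCK = 0x10000         # assumed SPI flash erase-block size (64 KiB)
FLASH_SIZE = 4 * 1024 * 1024  # assumed total flash size (the 4 MB part mentioned above)
PAD_BYTE = b"\xff"            # assumed fill: erased NOR reads as 0xFF, so the pad looks blank


def align_up(n: int, block: int = ERASE_BLOCK) -> int:
    """Round n up to the next multiple of block (n itself if already aligned)."""
    return -(-n // block) * block


def rootfs_offset(kernel_len: int, block: int = ERASE_BLOCK) -> int:
    """Offset at which the rootfs must start for a kernel of kernel_len bytes."""
    return align_up(kernel_len, block)


def combine_image(kernel: bytes, rootfs: bytes, block: int = ERASE_BLOCK) -> bytes:
    """Lay out kernel, padding, rootfs.

    A plain `cat kernel rootfs` puts the rootfs at an arbitrary byte offset
    that shifts with every kernel rebuild, so the partition boundary the
    kernel expects no longer lines up with where the rootfs actually sits.
    Padding the kernel to the next erase block pins the rootfs to a
    block-aligned offset that the partition table can address.
    """
    pad = rootfs_offset(len(kernel), block) - len(kernel)
    return kernel + PAD_BYTE * pad + rootfs


def split_image(image: bytes, kernel_len: int, block: int = ERASE_BLOCK):
    """Inverse of combine_image: recover (kernel, rootfs), dropping the pad."""
    off = rootfs_offset(kernel_len, block)
    return image[:kernel_len], image[off:]


def fits_flash(image: bytes, flash_size: int = FLASH_SIZE) -> bool:
    """Check that the combined image does not exceed the flash part."""
    return len(image) <= flash_size
```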

Just upgraded to OpenWRT. Thank you! I couldn’t get the SMB share method to copy over to the device so I used this: run the Workmode change and then, using the web interface, upload the .tar.gz file to any directory on the device. Unless you run the Workmode change first, you’ll get an error about not being able to upload from this device. Use the telnet backdoor to log in, create the /etc/disk/.update directory and then mv the .tar.gz file into that directory. Then perform the upFirmWare. Done. BTW, telnet 10.168.168.1 11880 does work with a standard telnet client.